Sneed-Reactivity/yara-mikesxrs/h3x2b/lin_irctelnet.yara

108 lines
3.5 KiB
Text
Raw Normal View History

rule irctelnet__loader: malware linux
{
meta:
author = "@h3x2b <tracker@h3x.eu>"
description = "Detects dropper of the irctelnet - 20161102"
//Check also:
// http://blog.malwaremustdie.org/2016/10/mmd-0059-2016-linuxirctelnet-new-ddos.html
// http://tracker.h3x.eu/info/850
// http://tracker.h3x.eu/corpus/850
//Samples:
strings:
$x_00 = "mkdir -p "
$x_01 = "&& rm -f "
$x_02 = "ftpget -u ftp "
$x_03 = "2>&1 ||"
$x_04 = "wget -O"
$x_05 = "tftp -g -r"
$x_06 = "2>&1 &&"
$x_07 = "chmod +x "
$x_08 = "&& sh "
condition:
//Contains all of the strings
all of ($x_*)
}
rule irctelnet__installer: malware linux
{
meta:
author = "@h3x2b <tracker@h3x.eu>"
description = "Detects malicious payload of the irctelnet - 20161102"
//Check also:
// http://blog.malwaremustdie.org/2016/10/mmd-0059-2016-linuxirctelnet-new-ddos.html
// http://tracker.h3x.eu/info/850
// http://tracker.h3x.eu/corpus/850
//Samples:
strings:
$x_00 = "x32bin="
$x_01 = "armbin="
$x_02 = "mpsbin="
//$x_03 = "mp1bin="
$x_04 = "ppcbin="
$x_05 = "sphbin="
$x_06 = "sprbin="
$x_07 = "ulimit -n 4096"
$x_08 = "ip="
$x_09 = "dir="
$x_10 = "me="
$x_11 = "killall -9 $"
$x_12 = "rm -f $"
$x_13 = "wget -O $"
$x_14 = " && chmod +x $"
$x_15 = " && $"
condition:
//Contains all of the strings
all of ($x_*)
}
rule irctelnet__payload: malware linux
{
meta:
author = "@h3x2b <tracker@h3x.eu>"
description = "Detects malicious payload of the irctelnet - 20161102"
//Check also:
// http://blog.malwaremustdie.org/2016/10/mmd-0059-2016-linuxirctelnet-new-ddos.html
// http://tracker.h3x.eu/info/850
// http://tracker.h3x.eu/corpus/850
//Samples:
strings:
$irc_00 = "PASS %s"
$irc_01 = "NICK %s"
$irc_02 = "USER %s . . : ."
$irc_03 = "USER d3x . . : ."
$irc_04 = "ERROR"
$irc_05 = "-sh"
$irc_06 = "GET / HTTP/1.0"
$irc_07 = "Host: %s"
$x_00 = "ogin:"
$x_01 = "assword:"
$x_02 = "ncorrect"
$x_03 = "failed"
$x_04 = "built-in commands"
$x_05 = "seconds"
$x_06 = "shell"
$x_07 = "(y/N)"
$x_08 = "free"
$x_09 = "mkdir -p %s && rm -f %s/*; ftpget -u ftp %s %s/%s %s 2>&1 || wget -O %s/%s http://%s/%s 2>&1 || tftp -g -r "
$x_10 = "/etc/firewall_stop"
condition:
//ELF magic
uint32(0) == 0x464c457f and
//Contains all of the irc strings
all of ($irc_*) and
//Contains all of the specific strings
all of ($x_*)
}